BAXTER INTERNATIONAL INC - (BAX)
10-K Filing Date: February 08, 2024
Item 1C. Cybersecurity.
We assess, identify and manage risks from cybersecurity threats through our Global Cybersecurity and Compliance Program (Cybersecurity Program), which is part of our larger enterprise risk management framework. The Cybersecurity Program is currently overseen by the Audit Committee and Quality, Compliance and Technology Committee (QCT Committee) of the Board of Directors and is managed by a dedicated Chief Information Security Officer (CISO), whose organization has oversight of cybersecurity strategy, policy, standards, architecture and processes for the security of our enterprise network, information assets and medical device technologies. Our current CISO has over 20 years of experience in cybersecurity and has held numerous positions in the cybersecurity sector, including serving as Global Cyber Risk Officer at another Fortune 500 medical products and equipment company and CISO at another healthcare company. The CISO’s organization monitors and manages, and works to identify and assess, cybersecurity risk through various technologies, resources, processes and policies that are regularly updated to align with the changing threat landscape, our evolving business needs as well as global regulatory requirements. In addition, from time to time, we also utilize external auditors and assessors to help evaluate our Cybersecurity Program, including our control measures, and to assist in conducting risk and maturity assessments. We also actively engage with industry experts, regulatory agencies, advocacy groups, intelligence and law enforcement communities as part of our continuing efforts to evaluate and enhance the effectiveness of our Cybersecurity Program.
We use a range of defenses to help protect against cybersecurity threats and to work to secure our assets, reduce detection time and improve recoverability. These include the ongoing monitoring of our systems (including with the assistance of third-party vendors); conducting routine exercises with employees and senior management, including our executive officers, to promote awareness and improve internal processes; and engaging with proxy advisors and external cybersecurity rating agencies that assess our cyber risk, in order to improve our internal evaluations and vulnerability management processes. In addition, to help promote privacy and security awareness throughout the company, all employees with a valid Baxter email address receive annual training and access to virtual events and updated materials. Further, our Third-Party Risk Management Program includes assessment and monitoring of security standards and control procedures for external suppliers and vendors, with enhanced engagement or internal controls depending on the results of the assessment.
The Cybersecurity Program maintains a cybersecurity governance and oversight framework that seeks to drive accountability for all levels of employees, including senior management and executive officers. Cybersecurity matters are generally managed by a combination of working groups led by senior management that report to the cybersecurity steering committee or cybersecurity executive oversight committee, as appropriate, on matters such as, among other things, enterprise-level cybersecurity initiatives and directives, threat intelligence and product cybersecurity risks and remediations. Our cross-functional cybersecurity steering committee, which is led by the CISO, is composed of members of senior management, including the Chief Information Officer, and reviews matters such as product security escalations, critical remediations and disclosure recommendations. The output from the steering committee meetings is discussed at meetings of Baxter’s cybersecurity executive oversight committee, which is led by the CISO and includes the Chief Executive Officer, Chief Financial Officer, General Counsel, Chief Compliance & Trust Officer and our business segment presidents. The cybersecurity executive oversight committee meets quarterly, oversees enterprise and cybersecurity risk management and reports to the Audit Committee and QCT Committee of the Board. The Audit Committee currently oversees our information technology functions generally, including non-product-related cybersecurity matters, and the QCT Committee oversees product- or service-based information technology matters, including with respect to product cybersecurity matters. The Audit Committee is also responsible for the oversight of any cybersecurity incident, including ones related to our products and services. Both committees receive updates from management on cybersecurity-related topics within their purview throughout the year. Additionally, the full Board generally receives periodic updates on information technology and cybersecurity matters from management and external advisors.
The CISO maintains and annually updates a Cybersecurity Incident Response Plan, which is a guide for our Cyber Security Incident Response Team to respond effectively and efficiently to cybersecurity incidents in a coordinated manner, in the interest of minimizing the risk of harm to our patients, customers, operations, partners, employees and third parties, consistent with our legal obligations. Cybersecurity risks and threats, including as a result of any previous cybersecurity incidents, have not materially impacted and are not reasonably expected to materially impact us or our operations to date. However, we recognize the ever-evolving cyber risk landscape and cannot provide any assurances that we will not be subject to a material cybersecurity incident in the future. See Item 1A. Risk Factors, “Breaches and breakdowns affecting our information technology systems or protected information, including from cyber security breaches and data leakage, could have a material adverse effect on our business, results of operations, financial condition, cash flows, reputation and competitive position,” for a discussion of cybersecurity-related risks.